Create an anonymous Whonix environment on NixOS

The why

I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Xen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.

Luckily, while VMs are fantastic to use, especially with QubesOS, it’s very much possible to get some of the benefits of QubesOS on a host Linux system like NixOS.

To demonstrate this, I’ll be going through a Whonix installation on NixOS using KVM, configuration.nix, and home-manager. I’ll talk a bit about the security trade-offs of using KVM rather than VirtualBox or QubesOS, and how Whonix can be a useful tool for elevating your security posture, protecting your host from malware and your activity from being de-anonymized.

What’s Whonix?

Whonix is a 2-VM setup for compartmentalizing your computing, and uses the Tor network to keep your activity anonymous. It runs on Kicksecure (hardened Debian).

The Whonix “Gateway” VM creates, maintains, and makes available a ’Tor-ified’ network connection for the Workstation.

The Whonix “Workstation” VM is where you’ll do your actual computing. It comes with a graphical XFCE desktop with a suite of applications. You can use the built-in Tor Browser to browse anonymously, or use any of the other included applications and have all of it routed through Tor.

KVM vs VirtualBox

Whonix supports 2 type-2 hypervisors: KVM and VirtualBox. KVM is built into the Linux kernel, and is thus fully Free Software. VirtualBox is developed and maintained by Oracle, and is not Free software. I’ll be using KVM for these examples, but there’s a convenient guide for VirtualBox.

KVM vs QubesOS Xen

Hypervisor simplicity

KVM is part of the Linux kernel, meaning that the virtualization is being done by a larger, monolithic program than a type-1 hypervisor like Xen, and so with a larger attack surface.

Type-1 vs type-2 hypervisor

KVM runs on a host Linux system, and therefore the contents of the VM are only as secure as the host system. This is perhaps the biggest downside to running this KVM setup over Qubes in terms of security. I’d recommend delegating any risky activity to VMs like Whonix to try to mitigate the risk of malware running on your host system.

No sys-net/firewall/usb/audio/etc.

QubesOS uses dedicated VMs (sys-net, sys-firewall, sys-usb, sys-audio and so on) to compartmentalize the hardware; running Whonix on a Linux host leaves all of that in the domain of the large Linux kernel.

Performance

Whonix on KVM performs about as well as on QubesOS (varying based on how much virtual CPU/memory you allocate, of course), but a big benefit of having a Linux host is that the applications run on it won’t be slowed down by virtualization. Risky activities can be compartmentalized while keeping the main system fast and convenient to use.

Relevant Whonix security documentation

The advantages QubesOS has over KVM listed above are just a few basic examples. QubesOS has a much more robust security model in many ways, and if security is essential to you, you should understand the downsides:

Installing Whonix on KVM

Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be wary of executing commands from a random blog on the internet, and go to the source whenever possible.

Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system built with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.

Installing KVM + Virt-manager

Enable libvirtd and virt-manager

  # /etc/nixos/configuration.nix
  virtualisation.libvirtd.enable = true;
  programs.virt-manager.enable = true;

Add user to the libvirtd group

  # /etc/nixos/configuration.nix
  # Replace USER with your username
  # extraGroups will likely be populated, just add libvirtd to whatever's already there
  users.users.USER = {
    extraGroups = [ "libvirtd" ];
  };

Enable qemu connection by adding dconf settings through home-manager

  # /etc/nixos/configuration.nix
  # Replace USER with your username
  home-manager.users.USER = { pkgs, ... }: {
    # Point virt-manager to qemu as a source for virtualization
    dconf.settings = {
      "org/virt-manager/virt-manager/connections" = {
        autoconnect = ["qemu:///system"];
        uris = ["qemu:///system"];
      };
    };
  };

Start qemu’s virtual networking, allowing VMs to communicate

# Start qemu networking
sudo virsh -c qemu:///system net-autostart default
sudo virsh -c qemu:///system net-start default

Download the Whonix XFCE .qcow archive

  • You can get the most up-to-date versions directly from their website:
    • https://www.whonix.org/wiki/KVM#Download_Whonix
    • You can optionally append ’.torrent’ to the direct download URL on their site to download the torrent file. This can be used in any BitTorrent client to download with faster speeds and without using as much of the project’s bandwidth. If you have a BitTorrent client I recommend this method.

Extract the archive

Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/)

# Unpacking archive with gnu tar
[~/]$ tar -xvf Whonix*.libvirt.xz

Agree to the Whonix Binary License Agreement

To read the agreement, use:

# Prints the license agreement
[~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT

Assuming you agree:

# Creates an empty file "..._accepted" that tells Whonix you agree
[~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

Setup Whonix virtual networks

# Add virtual networks
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml

# Activate the networks
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
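The whole Whonix model rests on the shape of these two networks: Whonix-External is allowed to NAT through the host, but Whonix-Internal must be an isolated bridge with no forwarding and no host-side IP, so the Workstation has no way out except through the Gateway. The check below is an added example, not part of the Whonix or NixOS documentation; it parses the XML that `virsh net-dumpxml` returns (or the `Whonix_*.xml` files you just defined), and the sample definitions embedded in it are constructed for the example.

```python
"""Audit the two Whonix libvirt networks for the properties the Gateway/Workstation
split relies on: Whonix-External may NAT through the host, while Whonix-Internal must
be an isolated bridge (no <forward>, no host-side <ip>) so the Workstation's only path
out is the Gateway. The sample XML below is constructed for this example."""
import subprocess
import xml.etree.ElementTree as ET


def audit_network(xml_text: str) -> list[str]:
    """Return the problems found in one libvirt <network> definition ([] means OK)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="")
    forward = root.find("forward")
    problems = []
    if name == "Whonix-Internal":
        if forward is not None:
            # Any forward mode (nat, route, bridge, ...) is a route around the Gateway.
            problems.append(f"{name}: has <forward mode={forward.get('mode')!r}>; must be isolated")
        if root.find("ip") is not None:
            # A host-side address puts the host (and libvirt's dnsmasq) on the Workstation's LAN.
            problems.append(f"{name}: has a host <ip>; remove it")
        if root.find("bridge") is None:
            problems.append(f"{name}: no <bridge> element")
    elif name == "Whonix-External":
        if forward is None or forward.get("mode") != "nat":
            problems.append(f"{name}: expected <forward mode='nat'>")
    else:
        problems.append(f"unexpected network name {name!r}")
    return problems


def audit_live(name: str) -> list[str]:
    """Fetch the definition libvirt actually holds and audit it (needs virsh on the host)."""
    xml_text = subprocess.check_output(
        ["virsh", "-c", "qemu:///system", "net-dumpxml", name], text=True)
    return audit_network(xml_text)


# Constructed samples, shaped like the Whonix definitions but not copied from them.
GOOD_INTERNAL = "<network><name>Whonix-Internal</name><bridge name='virbr2' stp='on' delay='0'/></network>"
GOOD_EXTERNAL = ("<network><name>Whonix-External</name><forward mode='nat'/>"
                 "<bridge name='virbr1' stp='on' delay='0'/><ip address='10.0.2.2' netmask='255.255.255.0'/></network>")
# Misconfigured internal network: NAT plus a host IP would let the Workstation reach clearnet directly.
BAD_INTERNAL = ("<network><name>Whonix-Internal</name><forward mode='nat'/>"
                "<bridge name='virbr2' stp='on' delay='0'/><ip address='10.152.152.1' netmask='255.255.192.0'/></network>")

if __name__ == "__main__":
    for label, xml in [("internal", GOOD_INTERNAL), ("external", GOOD_EXTERNAL), ("bad internal", BAD_INTERNAL)]:
        print(label, "->", audit_network(xml) or "OK")
```

On the host, `audit_live("Whonix-Internal")` and `audit_live("Whonix-External")` run the same checks against what libvirt actually has defined, which is what matters if you ever edit the networks by hand in virt-manager.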

Import Whonix Gateway and Workstation images

# Creates two qemu profiles for the Whonix VMs
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml

Image File Installation

# Moves the .qcow2 disk images to the paths the two VM definitions above expect
[~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
[~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

Remove Whonix home clutter

# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
[~/]$ rm Whonix*
[~/]$ rm -r WHONIX*

Post-installation

Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.

# Whonix Gateway VM
[gateway user ~]% sudo setup-dist

Upgrade the system to pull the latest packages:

# Whonix Gateway VM
# Refresh the package lists first, otherwise dist-upgrade has nothing new to install
[gateway user ~]% sudo apt-get update && sudo apt-get dist-upgrade

Start the Whonix Workstation, and repeat the upgrade step:

# Whonix Workstation VM
# Refresh the package lists first, otherwise dist-upgrade has nothing new to install
[workstation user ~]% sudo apt-get update && sudo apt-get dist-upgrade

Using Whonix

Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)

Some tips

Basic applications

  • Tor Browser: Fingerprinting-resistant browser made for anonymous internet use
  • VLC: Video player capable of playing almost any media file you throw at it
  • KeePassXC: Offline password manager
  • GPA (GNU Privacy Assistant): Graphical manager for GPG/crypto functions
  • Electrum: Bitcoin wallet
  • Thunderbird: Mozilla email/calendar/RSS client
  • and more!

Staying secure and anonymous

Think before you act! Whonix gives you a good platform for staying anonymous, but you can absolutely de-anonymize yourself if you’re not careful.

  • If you’re signing into a service over Tor, understand that the service can tie your actions to your current Tor identity. You can’t sign into your personal Facebook over Tor and expect that Facebook won’t know exactly who you are.
  • If you’re talking in some IRC channel, be skeptical about sharing information about yourself.
  • If you’re using Electrum wallet to manage Bitcoin, understand the privacy implications of Bitcoin and where you’re sending/receiving from.
  • Installing extra extensions in the Tor Browser can affect your footprint and make you stand out from other Whonix users.
  • etc, etc, etc

There are an uncountable number of ways you could de-anonymize yourself, so stay vigilant. Understand the technology you’re using, the information you’re putting out, and put yourself in the perspective of an adversary trying to de-anonymize you.

  • Use a live system when possible

    When you’re booting the Workstation VM, you can select the option to run it ’live’. This means that when you shut down the VM, everything you did during the session is erased.

    This can be useful if, say, you’re visiting a sketchy site and end up installing malware. Just reboot the VM and you’re back to a clean state.

    Ideally, you should only use Whonix persistently for updating and installing packages from the Whonix repositories. You may also want to use a persistent session for setting up credentials in your KeePassXC database or setting up GPG keys, but keep as much sporadic browsing as possible in live mode.

  • Optionally disable JavaScript in Tor Browser

    JavaScript adds a massive attack surface to your browser, and disabling it can remove entire categories of browser-based malware. But many sites rely on JavaScript for basic functionality.

    Personally, I keep JavaScript on because I trust KVM to contain malware relatively well, and I only use the Tor Browser in live mode so any potential malware will be wiped on reboot.

    If you care about further hardening the setup, and are willing to break many websites, JavaScript can easily be disabled by setting the Tor Browser security level to the highest option.

Author: Skylar

Created: 2024-08-19 Mon 07:42